- Seeking a more practical and flexible EU digital regulation landscape: The European Commission seeks to consolidate overlapping aspects of the GDPR, the EU AI Act, and other EU
Digital Omnibus: EU Commission Proposes to Streamline GDPR and EU AI Act
CJEU Confirms Personal Data as a Relative Concept
The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.
By Myria Saarinen, Tim Wybitul, Wolf-Tassilo Böhm, Isabelle Brams, Gail Crawford, Fiona M. Maclean, Danielle van der Merwe, and Amy Smyth
The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by
UK Adequacy Holds Firm Under New Data (Use and Access) Act 2025
The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.
By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth
The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing UK data protection regime. In particular, it introduces several targeted amendments to the UK GDPR, the Data Protection Act 2018
GDPR Fines to Be Determined by Reference to Global Turnover of Corporate Group
The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
The penalties provisions of the EU General Data Protection Regulation (GDPR) include a framework for the calculation of the fines that may be imposed on infringing organisations by national supervisory authorities and
EDPB Issues Guidelines on Processing Personal Data for Legitimate Interests Purposes
The draft guidelines provide further clarification to the EDPB’s interpretation of legitimate interests, and suggest a potential divergence with the UK ICO.
By Gail Crawford, Fiona Maclean, Myria Saarinen, Tim Wybitul, Alice Brunning, and Calum Docherty
On 8 October 2024, the European Data Protection Board (EDPB) released draft Guidelines 1/2024 (the Guidelines) setting out its approach to processing personal data based on the “legitimate interests” legal basis in Article 6(1)(f) of the GDPR. The Guidelines
UK ICO Unveils New Fine Calculation Guide for Data Protection Infringements
Understanding the ICO’s approach to assessing financial penalties should be a key element of an organisation’s data protection strategy and risk profile.
By James Lloyd and Sami Qureshi
In an era when data protection infringements can tarnish business reputations overnight, understanding the financial ramifications is more crucial than ever. The UK’s Information Commissioner’s Office (ICO) recently unveiled its much-anticipated updated guidance on the calculation of fines for data protection infringements under the UK General Data Protection Regulation (UK GDPR) and
Six Months Until Enforcement: Key Compliance Steps for Saudi Arabia’s Data Protection Law
The PDPL has broad extraterritorial scope and substantial penalties for non-compliance, with full enforcement expected to start in September.
By Brian A. Meenagh and Lucy Tucker
The Personal Data Protection Law (PDPL) is the first comprehensive data protection law in Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the PDPL from 14 September 2024, after the current compliance transition period ends. SDAIA emphasised that it expects entities to take measures to achieve compliance with the PDPL by the September deadline.
India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison
Companies subject to India’s new data protection law should assess practical implications.
By Gail Crawford, Fiona Maclean, Danielle van der Merwe, Kate Burrell, Bianca H. Lee, Alex Park, Irina Vasile, and Amy Smyth
The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules[i] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after:
- an independent agency responsible for enforcing the DPDPA — the Data Protection Board of India (the Data Protection Board) — is established; and
- the Indian government has framed the subordinate rules (which are expected to provide interpretative guidance on procedural steps and enforcement methodology).
The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.
CNIL Fines Health Website for Unlawful Data Processing
The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules.
On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision on the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions of the GDPR and an additional €100,000 fine for the violation of Article 82 of the French Data Protection Act (the French Cookies Rule).
Founded in 2000 by medical doctors, Doctissimo is one of the most widely visited health and well-being websites in France, with the majority of visitors located in France and Belgium. The website hosts articles, tests, quizzes, and forums related to health and well-being.
Irish Data Protection Commission Orders Meta Ireland to Suspend Facebook Data Transfers to the US and Imposes Record GDPR Fine of €1.2 Billion
By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1]
The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May 2023 (IDPC Decision).[3]
The IDPC found that the Transfers, made pursuant to Standard Contractual Clauses (SCCs), did not comply with Article 46(1) GDPR, as the SCCs together with the supplementary measures implemented “do not compensate for the deficiencies in US law in issue”. The IDPC also found that the Transfers could not be made pursuant to any of the derogations under Article 49(1) GDPR. In particular, the IDPC concluded that the “contractual necessity” derogation could not be relied on by Meta Ireland “to justify the systematic, bulk, repetitive and ongoing transfers to the US”.
In light of these conclusions, the IDPC made an order suspending the Transfers (the Suspension Order).